Azure AD login - how to allow user to change Azure account if cached account is wrong for my application
Basic scenario: Azure AD is used as just an authentication provider for a web app; the identity retrieved from Azure is matched by email to a local identity and a forms auth cookie is issued for API authorization against the app's webapi.

Problem: If a user has multiple Azure accounts, they may be pre-authenticated when they come to my app. In this case, when the redirect back to my app occurs there may be no matching user and login cannot complete.

Desired solution: If the cached Azure account is invalid for my app, I would like to direct the user back to the Microsoft login page with a chance to manually type in their credentials.

How do I achieve this, and is there something wrong with this flow? It seems currently the only way for the user to get into my app is to go to Azure and log out of the bad account. What other methods could achieve a better user experience? Should I use the auth token from Azure and log the user out programmatically and then back to Azure for another go around? Can I hint for Azure to prompt the user even if they are logged in already?
I discovered that I really wanted the prompt=select_account flag on the redirect to Azure, but the library I was using made it difficult to determine how to set this. I am using the ms-adal-angular6 library, which is a wrapper for azure-activedirectory-library-for-js.

After digging through the code I found a config property that was not documented, called extraQueryParameter, which when I set to "prompt=select_account" got the behavior close enough to what is needed.

Ultimately the user must select their account every time, instead of just when the account is wrong. I could most likely get tricky with the error response and redirect back a second time with prompt=select_account to get the behavior I was looking for, although the library doesn't make it easy to change this on the fly either, so I may stick with it always on.
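As an added illustration (not code from the post, nor from ms-adal-angular6 or ADAL.js), the following TypeScript models the two pieces the answer describes: appending extraQueryParameter to the authorize redirect, and matching the returned identity to a local user by email so that prompt=select_account is only sent on a mismatch rather than on every login. The AuthConfig shape, the handleRedirect function, the local user store and the claim fields used for matching are assumptions made for the example.

```typescript
interface AuthConfig {
  tenant: string;               // Azure AD tenant id or domain
  clientId: string;             // the app registration's client id
  redirectUri: string;
  extraQueryParameter?: string; // e.g. "prompt=select_account", as in the answer
}

// Claims from an id_token whose signature and nonce were already validated (assumed).
interface IdTokenClaims { upn?: string; email?: string; }

// Hypothetical local identity store keyed by lower-cased email.
type LocalUsers = Record<string, { id: number }>;

function encode(params: Record<string, string>): string {
  return Object.keys(params)
    .map(k => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`)
    .join("&");
}

// Builds the v1 authorize URL the way an ADAL-style library would, appending
// extraQueryParameter verbatim (it is assumed to be already URL-encoded).
function buildAuthorizeUrl(cfg: AuthConfig, state: string, nonce: string): string {
  const query = encode({
    response_type: "id_token",
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    state,
    nonce,
  });
  const extra = cfg.extraQueryParameter ? `&${cfg.extraQueryParameter}` : "";
  return `https://login.microsoftonline.com/${cfg.tenant}/oauth2/authorize?${query}${extra}`;
}

type LoginOutcome =
  | { action: "issue_cookie"; localUserId: number }
  | { action: "reprompt"; url: string }
  | { action: "reject"; reason: string };

// Decides what to do once Azure AD redirects back. `reprompted` (assumed to be
// carried in `state`) stops an endless loop when the chosen account never matches.
function handleRedirect(cfg: AuthConfig, claims: IdTokenClaims, users: LocalUsers,
                        reprompted: boolean, state: string, nonce: string): LoginOutcome {
  const email = (claims.email || claims.upn || "").toLowerCase();
  const user = email ? users[email] : undefined;
  if (user) return { action: "issue_cookie", localUserId: user.id };
  if (reprompted) return { action: "reject", reason: `no local user for ${email || "<no email claim>"}` };
  const withPrompt: AuthConfig = { ...cfg, extraQueryParameter: "prompt=select_account" };
  return { action: "reprompt", url: buildAuthorizeUrl(withPrompt, state, nonce) };
}
```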